Mistakes still plague health care organizations’ security
The underground markets for stolen electronic medical records must be thriving these days. Medical and healthcare information has been one of the hottest commodities for cyber thieves for the past several years, far surpassing credit card information and Social Security numbers, and its value only looks to keep increasing. Just last year, a measly bundle of 10 Medicare numbers sold for around $4,700 on the black market.
Meanwhile, as stories about Apple and the OPM and international cybersecurity tensions dominate the news, numerous healthcare data breaches, which don’t have quite the same glamour, still provide thousands of patients with headaches. It’s frustrating to read and write about, as well, thanks to the simplicity involved in some of these incidents, which could have easily been prevented. An unsecured database accidentally made accessible to website users exposed names, numbers and health information for around 3,000 Einstein Healthcare Network patients.
Stolen or lost devices also continue to be a prime cause of security breaches, as Minnesota-based pharmacy care OptumRx discovered last month. Worse is when the laptop is not encrypted when it’s snatched from an employee’s vehicle, which is exactly what happened here. Prescription drug and prescribing provider information were among the data at risk. A flash drive that was lost in the mail was not encrypted either, making the PHI of almost 3,000 patients of the Barbara Ann Karmanos Cancer Institute vulnerable. Another laptop, along with several hard drives, taken from the federal Office of Child Support Enforcement when burglars broke into the building, may have contained around 5 million names and Social Security numbers.
And sometimes, people’s sensitive information is just dropped right in the lap of unauthorized parties, such as when federal law enforcement officials acquired a list with the health information of over 1,000 patients of the Florida Department of Health.
Though these incidents don’t produce the staggering numbers of an Anthem breach, or carry the social and legal ramifications of Apple’s encryption policies, they are still important. Carelessness of the type shown in these situations becomes ever harder to excuse with each passing year, as public awareness and education on the problem of data breaches and the danger to your personal information grow. We have enough infosec issues without just handing over extra stashes of protected information to cyber thieves. Don’t make it too easy for them.